Newly Discovered Malware Infects Jailbroken iPhones to Steal Apple IDs and Passwords
Posted April 18, 2014 at 4:20pm by iClarified
Newly discovered malware dubbed 'Unflod Baby Panda' infects jailbroken iDevices in an attempt to steal your Apple ID and password.
Stefan Esser, a hacker known as i0n1c, details the malware that was discovered by reddit users.
On 17th April 2014 a malware campaign targeting users of jailbroken iPhones was discovered and discussed by reddit users. This malware appears to have Chinese origin and comes as a library called Unflod.dylib that hooks into all running processes of jailbroken iDevices and listens to outgoing SSL connections. From these connections it tries to steal the device's Apple-ID and corresponding password and sends them in plaintext to servers with IP addresses in control of US hosting companies for apparently Chinese customers.
Unfortunately, the origin of the malware is not known. It's believed that it may end up on jailbroken phones when a user installs pirated apps from unofficial Chinese repositories. Of course, we suggest that you never do this.
The malware is located at /Library/MobileSubstrate/DynamicLibraries/Unflod.dylib on your iDevice. The threat is digitally signed with an iPhone developer certificate registered to a person called WANG XIN. It's unclear if this is a real person, a fake persona, or a victim of certificate theft.
Here's how it works:
"The malware basically hooks into SSLWrite of the Security.framework and scans the buffer for certain strings that indicate the presence of the Apple-ID and the password for it. If those are found the code attempts to connect to the IPs 23.88.10.4 and 23.228.204.55 on port 7878 to send out the stolen data in plaintext."
i0n1c notes that Dr. Web is the first one to identify Unflod.dylib as malicious.
Deleting Unflod.dylib and changing your Apple ID password appears to be enough to recover from the attack; however, since the origin of the malware cannot be located, we don't know whether any other malware was bundled with it. Thus, to be sure any threat is completely removed, you will need to do a full restore. Unfortunately, this means losing your jailbreak.
You can use iFile to easily check for the existence of Unflod.dylib; however, it's likely that a tweak or an update to Cydia will be released to address the malware shortly. Please follow iClarified on Twitter, Facebook, or RSS for updates.
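For readers who have shell access to their jailbroken device (for example over OpenSSH), the two indicators the article names, the dylib path and the outbound connections to 23.88.10.4 or 23.228.204.55 on port 7878, can be checked from a script. This is an added example written for this page, not code from iClarified or from i0n1c's analysis; the function names, the `UNFLOD_DIR` override and the netstat-style sample lines are my own assumptions.

```shell
#!/bin/sh
# Defender-side check for the Unflod Baby Panda indicators reported above.
# Assumption: run on the device itself. UNFLOD_DIR may be overridden so the
# checks can be exercised against a scratch directory on another machine.
UNFLOD_DIR="${UNFLOD_DIR:-/Library/MobileSubstrate/DynamicLibraries}"
UNFLOD_C2_IPS="23.88.10.4 23.228.204.55"   # addresses named in the article
UNFLOD_C2_PORT=7878                         # port named in the article

# Returns 0 (true) if the reported dylib exists in the given directory
# (defaults to the MobileSubstrate DynamicLibraries path from the article).
unflod_dylib_present() {
    dir="${1:-$UNFLOD_DIR}"
    [ -f "$dir/Unflod.dylib" ]
}

# Reads netstat-style lines from stdin and prints any whose remote endpoint
# is one of the reported IPs on port 7878. Both "ip.port" (BSD/iOS netstat)
# and "ip:port" notations are recognised. Returns 0 if at least one matched.
unflod_scan_connections() {
    matched=1
    while IFS= read -r line; do
        for ip in $UNFLOD_C2_IPS; do
            case "$line" in
                *"$ip.$UNFLOD_C2_PORT"*|*"$ip:$UNFLOD_C2_PORT"*)
                    printf 'suspicious connection: %s\n' "$line"
                    matched=0 ;;
            esac
        done
    done
    return $matched
}

# Usage on the device:  sh check_unflod.sh --check
# and, to inspect live connections:  netstat -an | unflod_scan_connections
if [ "${1:-}" = "--check" ]; then
    if unflod_dylib_present; then
        echo "FOUND: $UNFLOD_DIR/Unflod.dylib (change your Apple ID password)"
    else
        echo "Unflod.dylib not present in $UNFLOD_DIR"
    fi
fi
```

A hit from either function is a reason to change the Apple ID password and, as the article says, consider a full restore, since other components may have been bundled with the dylib.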
Is the repo Very Fast? I checked my devices and they are clean and always rooted (jailbroken).
If the repo is kuaiyong you do not need a jailbreak but it helps if you know how to read.
As far as my Apple ID goes, I do not have a credit card or banking info on it; it is not a good idea to have your info with any retailer.
If you are intelligent enough to root your Apple device and you know where you got the virus and how to remove the file, then you should be fine.
I would not update to 7.1, Cydia will no doubt release a patch soon.
Blocking the IP or the port is also a good idea till the whole issue is explored, but iFile is great and easy to use and should be enough for now.
So this malware only infects iOS devices that have installed cracked versions of apps from a Chinese host.
Well, stealing apps has its drawbacks. If you steal you deserve the malware problem.
This is for people with jailbroken iPhones, not stock iPhones, so I don't know what you're trying to say. Stock Android can get malware without being rooted.